Consistent logging of encoded path evaluation failure

jhoeller · jhoeller · commit 98ad23bef8e2 · 2018-03-27T17:04:59.000+02:00
Issue: SPR-16616
diff --git a/spring-webflux/src/main/java/org/springframework/web/reactive/resource/PathResourceResolver.java b/spring-webflux/src/main/java/org/springframework/web/reactive/resource/PathResourceResolver.java
@@ -193,7 +193,12 @@ private boolean isInvalidEncodedPath(String resourcePath) {
 			// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
 			try {
 				String decodedPath = URLDecoder.decode(resourcePath, "UTF-8");
-				return (decodedPath.contains("../") || decodedPath.contains("..\\"));
+				if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
+					if (logger.isTraceEnabled()) {
+						logger.trace("Ignoring invalid resource path with escape sequences [" + resourcePath + "]");
+					}
+					return true;
+				}
 			}
 			catch (UnsupportedEncodingException ex) {
 				// Should never happen...
diff --git a/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java b/spring-webmvc/src/main/java/org/springframework/web/servlet/resource/PathResourceResolver.java
@@ -284,7 +284,12 @@ private boolean isInvalidEncodedPath(String resourcePath) {
 			// Use URLDecoder (vs UriUtils) to preserve potentially decoded UTF-8 chars...
 			try {
 				String decodedPath = URLDecoder.decode(resourcePath, "UTF-8");
-				return (decodedPath.contains("../") || decodedPath.contains("..\\"));
+				if (decodedPath.contains("../") || decodedPath.contains("..\\")) {
+					if (logger.isTraceEnabled()) {
+						logger.trace("Ignoring invalid resource path with escape sequences [" + resourcePath + "]");
+					}
+					return true;
+				}
 			}
 			catch (UnsupportedEncodingException ex) {
 				// Should never happen...
